Coin tracking

I would like to start a discussion and brainstorming session on the topic of coin tracking/tainting or as I will call it here, "redlisting". Specifically, what I mean is something like this:

Consider an output that is involved with some kind of crime, like a theft or extortion. A "redlist" is an automatically maintained list of outputs derived from that output, along with some description of why the coins are being tracked. When you receive funds that inherit the redlisting, your wallet client would highlight this in the user interface. Some basic information about why the coins are on the redlist would be presented. You can still spend or use these coins as normal, the highlight is only informational. To clear it, you can contact the operator of the list and say, hello, here I am, I am innocent and if anyone wants to follow up and talk to me, here's how. Then the outputs are unmarked from that point onwards. For instance, this process could be automated and also built into the wallet.

I have previously elaborated on such a scheme in more detail here, along with a description of how you can avoid the redlist operator learning anything about the list's users, like who is looking up an output or who found a match.

Lately I was thinking about this in the context of CryptoLocker, which seems like it has the potential to seriously damage Bitcoin's reputation. The drug war is one thing - the politics of that are very complex. Extortion is something else entirely. At the moment apparently most people are paying the ransom with Green Dot MoneyPak, but it seems likely that future iterations will only accept Bitcoin.

Specifically, threads like this one concern me a lot. Summary: a little old lady was trying to buy bitcoins via the Canada ATM because she got a CryptoLocker infection. She has no clue what Bitcoin is beyond the fact that she needed some and didn't know what to do.

The risk/reward ratio for this kind of ransomware seems wildly out of proportion - Tor+Bitcoin together mean it takes huge effort to find the perpetrators and the difficulty of creating such a virus is very low. Also, the amount of money being made can be estimated from the block chain, and it's quite large. So it seems likely that even if law enforcement is able to take down the current CryptoLocker operation, more will appear in its place.

I don't have any particular opinion on what we should talk about. I'm aware of the arguments for and against such a scheme. I'm interested in new insights or thoughts. You can review the bitcointalk thread on decentralised crime fighting to get a feel for what has already been said.

I think this is a topic on which the Foundation should eventually arrive at a coherent policy. Of course I know that won't be easy.

I'm not technically savvy, but wouldn't the solution be CryptoLocker counter-measures on client computers?

I'm all for private justice, with operators being judges, but I'm not sure how this doesn't turn into "pay us x% to be removed from the redlist". Why is the evidential burden on the defendant rather than the accuser?

The CryptoLocker thing is indeed a nasty thorn in Bitcoin's side, but it shouldn't be. The blame should be put on CryptoLocker, not the currency itself. If Bitcoin is just a currency, like dollars, then blame the extortionist. Bitcoin's ease of use unfortunately makes it easier for virus creators to receive the money.

But yes, people won't see it like this. I definitely foresee people being introduced to Bitcoin through CryptoLocker and have an unfortunate bad introduction to Bitcoin.

A redlist, the way I see it, is opt-in, so it does not decrease the fungibility of Bitcoin. But I also don't see how it could be feasible if addresses with taint could just shuffle the coins around until there is no red-flag anymore.

I think the better question should be, and could be discussed is: why is there a need for this? Is it because we want a feature on top of Bitcoin that hampers criminal activity? I see in that post that the definition of criminal activity is very wishy-washy in itself: which makes it very difficult. IP black-listing has more straightforward applications, and reasons for why you would flag participants in a system.

I'll liken this topic to how US tried (tries) to control the internet (eg SOPA). The internet isn't the problem. It is the people that are pirating the movies. You can't stop pirating by tampering with the internet. I personally don't have a problem with red-listing, as it doesn't decrease my fungibility, but I'm not entirely sure this is the right approach to solving the underlying problems. I generally don't like criticising ideas if I don't have a better solution. But I don't have one. It is a very, very difficult problem, and thanks for bringing it up here on the foundation forums.

For lack of an alternative, I'd venture for the following policy:

Bitcoin is cash. Real cash is used for criminal activities all the time. There's a reason why 90% of dollar bills contain traces of cocaine. Yet, you do not stop using it to buy food to put on the table for your family.

Mike, thanks for posting this. It is a big looming issue where consumer protection and law enforcement intersect. My general thoughts on the subject have been that there should be no attempts to decrease potential fungibility of BTC (i.e. at the protocol level) but that private actors will almost certainly start going down this path.

I would love to see the Foundation put forth a white paper on best practices for wallet services, miners and exchanges on how to identify and handle suspect transactions. There is an opportunity for us to shape that discussion early through that kind of deliverable.

Having said that, I think balancing the interests of fungibility, law enforcement and consumer protection is going to be very tricky and a moving target. I'd suggest putting out a working document fast that acknowledges the tensions. Maybe a "living document" with tiered options based on the private actors' willingness/desire to be aggressive in policing the transactions that flow through their systems.

I'm not technically savvy, but wouldn't the solution be CryptoLocker counter-measures on client computers?

That's certainly a solution yes, but unfortunately it's sort of like saying the solution to burglary is having locks on doors and windows, so we don't need the police. Most good strategies require a combination of both defence and offence to be effective. You want defence to raise the costs of an attack high, and then offence to deal with the small minority who decide to try anyway.

In this case, there are lots and lots of people who did not get infected by CryptoLocker because they had the right defences in place. This is a good thing. Unfortunately even if 99% of people have working defences, 1% of the rest is still an awful lot of people given the size of the internet.

That's a great question. Actually if they don't crack down on these transactions, they can be considered guilty of money laundering and go to jail for potentially longer than the CryptoLocker guys themselves would, which is ridiculous but that's how Congress likes to write laws (basically the more modern the law, the more extreme the punishment attached to it). So I'd assume they either will start flagging these transactions somehow, or eventually they'll go the way of Liberty Reserve.

"Bitcoin" is not a financial institution and being just an inanimate object cannot be found guilty of money laundering, or anything at all. However from the perspective of people in law enforcement and government, it represents a leak in the system they created.

Quote

I'm all for private justice, with operators being judges, but I'm not sure how this doesn't turn into "pay us x% to be removed from the redlist". Why is the evidential burden on the defendant rather than the accuser?

That's a great point. I think spam filter RBLs are an interesting piece of prior art here. A few really sleazy RBLs have in the past charged for delisting - they're generally treated as garbage and people who use them are told to stop. People don't pay up, and the people using those lists end up suffering from stupid false positives and abandoning the list.

In theory a redlist operator should be the same. If transactions are being flagged due to abusive behaviour by the list operator, people would stop subscribing to it.

Quote

But yes, people won't see it like this. I definitely foresee people being introduced to Bitcoin through CryptoLocker and have an unfortunate bad introduction to Bitcoin.

Yes, indeed. It's not really the same. If these guys were physically collecting ransom payments with cash, it'd be easy to set up a sting operation with undercover police that capture them when they try to collect the cash. With Bitcoin, there is no such possibility.

Quote

I think the better question should be, and could be discussed is: why is there a need for this? Is it because we want a feature on top of Bitcoin that hampers criminal activity?

I am not sure there is. But playing the devil's advocate, here are several reasons you might consider:

If you look at something like CryptoLocker, it's really enabled by Tor and Bitcoin. The MoneyPak thing is a bit of a distraction - we know from previous cases like this that either Green Dot finds a way to attack the CL guys, or they will be considered criminals themselves. Long term CL type operations need fully anonymous infrastructure with no third parties that might gang up on them. Analogies to cash don't really work - it's a unique threat.

CryptoLocker is really unbelievably evil. With Silk Road there was lots of discussion about whether it was really a bad thing or not. I hope that won't crop up with CryptoLocker because it's so obviously bad.

If Bitcoin becomes strongly associated with crime and abuse, lots of legitimate users will go away and it will start a downward spiral. We can see this happening with Tor. Tor has never tackled its abuse problem and as a result is now widely blocked by all kinds of networks, everything from Google/Facebook to the Debian Wiki and the EU Parliament websites block Tor exit nodes. Tor users love to bitch about this and complain to site operators about being blocked, but it's ultimately their own fault - they're using and building a system that tries to wash its hands of abuse. In the real world that doesn't work and results in other people shunning you.

Quote

Just like a crook (or a freedom fighter) today might have a hard time finding banks willing to move his funds, he might find it difficult in the future to find miners that will accept his transaction

For as long as miners are anonymous, presumably some miners would process such transactions so it would just slow things down. But there isn't really any reason to avoid mining these. It's not a part of how this is supposed to work. The assumption is NOT that the owner of redlisted coins is bad or criminal in some way. It's just a flag that says, hey, if you'd like to help in the investigation please get in touch because maybe the criminal is in your vicinity, trade-wise. Implemented properly, it should not affect fungibility.

Applying centralized / political / technical solutions to what are essentially behavioural problems has a rather dismal track record. Wasted effort and unintended consequences are the usual hallmarks.

That said, I have to admit I don't have any satisfying answers. "Education and awareness" campaign maybe?

Fundamentally (and Bitcoin's reputation aside), efforts like these typically boil down to "protecting people from themselves". I do wish there was a systematic answer to these kinds of tragic experiences but the only effective remedy I've ever seen is the School of Hard Knocks. Painful / expensive lessons learned. I'm sure we've all been there.

My guess is this kind of problem will work itself out eventually, in a distributed, dynamic, organic, evolving way that hasn't occurred to anyone yet. We'll never be completely rid of it though.

That said, I have to admit I don't have any satisfying answers. "Education and awareness" campaign maybe?

As a start, this is definitely a good idea, along with Patrick's idea for a whitepaper on general good practices when working with Bitcoin.

Mike, what I'm thinking: Bitcoin is unfortunately being thrown in front of the bus (for the most part due to its great use for transferring value) with regards to the CryptoLocker case. Is it our job to mitigate this? I guess we should do something, because the Tor use-case is a valid lesson. Exit nodes are being blocked, but Tor itself is not 'evil'. Bitcoin could be unwillingly pulled down the drain. I'm just wondering whether a redlist is the correct approach. My gut feeling is that it is not. But it's only that. Like I said, I don't have another solution.

The best we can currently do, is to educate and provide a soft-landing for people finding Bitcoin through CryptoLocker. For other use-cases, like stolen coins? No idea. It's such a gray area. Very difficult.

Patrick, what sort of best practices would you be thinking of? I'm not sure what best practices would make much difference here, in the absence of some kind of new system.

I wouldn't say exactly we're being "thrown under the bus". Society has always had to balance the need for privacy with the need for accountability and it always results in big fights. In this case, Bitcoin (like Tor and most things developed by the tech community) is very pro-privacy and most people don't want to think about the accountability side, because it's complex and messy and nobody trusts their governments anymore and nobody knows any really convincing solutions anyway. Making things more private is "easy" because you just find a data leak and eliminate it. Making things selectively private is a greenfield area of research. It would require new solutions to be invented from scratch.

CryptoLocker is difficult because it presents very few angles for attack. Things like the Silk Road are inherently unstable because they involve large numbers of people executing lots of complicated transactions over a long period of time, and each one of them has exposure to supply chains, etc. There's lots of possible mistakes they can make, so there are lots of ways that LE can attack it. CryptoLocker, on the other hand, never interacts with the physical realm at all, and could easily be run by just one person. What it does is very simple and almost entirely automated. How do you even start investigating that? Where are the leads? I'm hoping the MoneyPak link turns something up. They're being used because they let you load up reloadable debit cards, so he can go grab some pre-paid cards and ask victims to load it up, then cash it out either by buying things online or by using an ATM. At least I think that's how it works.

But even if MoneyPak turns out to be a weak link this time, the next CryptoLocker will simply rely exclusively on Bitcoin. Then what?

Let's try and game out what would happen if a redlisting scheme were implemented. Actually I'm thinking maybe "redlisting" is also a bad term, perhaps "marking" is better and more accurately reflects its neutrality. "Colouring" is already taken as a phrase. Let's call it marking.

I imagine that the first problem would be getting exchanges on board. Some would be willing but too busy (Mt Gox can barely fix serious protocol bugs in their implementation, let alone implement new features). Others would be unwilling or just unresponsive. Quite possibly, just getting exchanges to implement this would take months, or a year or more.

What do exchanges do when they encounter marked coins? Basically, they would just be expected to make a note of which account they were loaded into, and then report back to the mark list operator who would then clear the mark for those outputs. Whoever bought the coins would receive unmarked coins. If an account were to repeatedly receive CL marked coins, a SAR could be filed.

This program would presumably be public, so CL would respond. The most obvious counter-move is to use a public mixing service like the one run by blockchain.info. These mixes aren't truly P2P, so the b.i server (or clients) could check and refuse to mix marked coins - but the problem is that there's a time delay between a payment being made and a victim reporting it. If a report comes in hours or days after a payment was made, then propagating the mark through the mix isn't very helpful - you'd end up marking all the users who took part. This isn't inherently a problem because a mark is just a signal, not an accusation of guilt. If 9 users deposit marked coins at an exchange once, and the 10th user does it 20 times, it doesn't take a genius cop to focus an investigation on the 10th guy.

However, we can see that any such scheme would be very sensitive to how quickly a payment could be reported and verified to be the result of extortion. This leads to another obvious counter-measure: the CL guys can refuse to unlock people's files until a few days after receiving a payment, and they can say they will refuse to unlock files at all if the payment is reported. Thus the victim must wait until their files are genuinely unlocked to report, and by that time, the money may have passed through many hands.

I guess this counter-measure doesn't necessarily matter though - even if the coins have passed through many hands by the time the original payment is reported, subscribers can still notice that a prior payment has become marked. Retroactive marking is not inherently problematic. In this case, a large tree of outputs would become marked due to the report, and then lots of the marks would be immediately cleared again (within a few minutes I'd hope) once the "nexuses" clear the marks by making a record of the suspicious users.
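A toy model of the flow gamed out in the post above (retroactive marking, a "nexus" recording which account deposited marked coins, then clearing), added here as an illustration and not taken from the thread or from any wallet or exchange software. The ledger, the account names and the rule that a mark spreads to every output of a spending transaction are assumptions made for the example.

```python
from collections import Counter

# Constructed toy ledger (all ids invented): txid -> (spent outpoints, output count).
# An outpoint is a (txid, output_index) pair.
TXS = {
    "ransom": ([("victim", 0)], 1),               # payment the victim reports later
    "hop1":   ([("ransom", 0)], 2),               # recipient splits the payment
    "dep_a":  ([("hop1", 0)], 1),                 # deposit at an exchange
    "dep_b":  ([("hop1", 1)], 1),                 # second deposit at the exchange
    "other":  ([("unrelated", 0)], 1),            # unrelated funds
    "dep_c":  ([("other", 0)], 1),                # unrelated deposit
    "payout": ([("dep_a", 0), ("dep_c", 0)], 2),  # exchange pays buyers from its pool
    "bob":    ([("payout", 0)], 1),               # a buyer moves his coins
}

# Constructed exchange records: deposit outpoint -> customer account.
DEPOSITS = {
    ("dep_a", 0): "acct-17",
    ("dep_b", 0): "acct-17",
    ("dep_c", 0): "acct-42",
}


def marked_outputs(txs, reported, cleared=frozenset()):
    """Return every outpoint that currently carries a mark.

    A mark starts at each reported outpoint and spreads to all outputs of any
    transaction that spends a marked outpoint. A cleared outpoint carries no
    mark and passes none on, i.e. it is unmarked "from that point onwards".
    """
    spender = {op: txid for txid, (ins, _) in txs.items() for op in ins}
    marked = set()
    stack = [op for op in reported if op not in cleared]
    while stack:
        op = stack.pop()
        if op in marked:
            continue
        marked.add(op)
        child = spender.get(op)
        if child is None:
            continue  # unspent output: nothing further to mark
        for index in range(txs[child][1]):
            out = (child, index)
            if out not in cleared:
                stack.append(out)
    return marked


def exchange_sweep(txs, reported, deposits):
    """What a nexus does when a report arrives after the coins have moved.

    Returns (hits per account, outpoints to clear, marks left after clearing).
    """
    before = marked_outputs(txs, reported)
    hit_ops = {op for op in deposits if op in before}
    hits = Counter(deposits[op] for op in hit_ops)
    after = marked_outputs(txs, reported, cleared=frozenset(hit_ops))
    return hits, hit_ops, after


if __name__ == "__main__":
    report = {("ransom", 0)}
    print("marked before clearing:", sorted(marked_outputs(TXS, report)))
    hits, cleared, remaining = exchange_sweep(TXS, report, DEPOSITS)
    print("deposit hits per account:", dict(hits))
    print("marked after clearing:", sorted(remaining))
```

Before clearing, the late report marks eight outputs including the buyer's; once the two matching deposits are recorded against their account and cleared, only the three outputs upstream of the exchange stay marked.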

If I was extorting money this way I would look to disperse what I had taken through a mixing service as a starting point to diffuse the tracking, I note what you say above about mixing services but would all comply if there wasn't something in it for them. Churn that some more through normal transactions and we are presumably talking about pretty well dispersed redlists, very slightly pink if you will.

If you buy into Bitcoin for the first time after agonising about whether to make the jump and a proportion of the XBT you have bought is redlisted it would be quite disconcerting. Not to speak of the reputation of the exchange or party you bought them from.

If XBT went down this track, one solution for the perpetrator would be to move to an alt coin that doesn't and trade back to BTC. Then I suspect that alt coin would rise in utility even if it was sadly for nefarious purposes. And if I was trying to launch an alt coin offering greater anonymity this would be an attractive option.

None of the above are helpful I know but just considerations that came to mind. I think security has to ultimately be left to people selling equipment to the vulnerable, even if we are now talking about more serious consequences than a simple virus. I suspect system recovery solutions will need to mature and simplify to mitigate these types of attack.

I think your comments are helpful. This is what I asked for - brainstorming about what would happen.

My expectation is that if people were routinely obtaining marked coins from a particular source, they would stop using that source or ask the source to get them unmarked before handing them on.

The unmarking process could be as simple as a phone verification (i.e. receive a phone call delivered to a mobile number), it does necessarily have to be complicated. The point is to be able to follow up later, to gather signals and leads for an investigation. Such a scheme is gameable of course, but it's a start.

For the alt coin case, assuming it works like Bitcoin it's pretty trivial to propagate the marks through them, although an alt-coin used exclusively by criminals would probably not be a very useful tool, even for bad guys.

My expectation is that if people were routinely obtaining marked coins from a particular source, they would stop using that source or ask the source to get them unmarked before handing them on.

I guess it would make sense for them to do the checking cleansing a registration/unmarking for the sake of their reputation.

Mike Hearn, on 12 November 2013 - 05:12 PM, said:

For the alt coin case, assuming it works like Bitcoin it's pretty trivial to propagate the marks through them, although an alt-coin used exclusively by criminals would probably not be a very useful tool, even for bad guys.

Hmm not so sure, a more anonymous alt coin is a pretty good sell.

Looking at the sequence of events.

1. Alice gets a ransom note, sends the coins and tells someone important.
2. Bad man mixes those coins and tries to sell them on an exchange or localbitcoins etc.
3. At least some of those are in the system because the exchange was not alerted soon enough or was not looking for them.
4. Bob then buys them and finds some of his money is red, freaks out or is sensible and registers the information.

Is there really any need for Bob to know they have received bad money if someone important knows the original transaction ID that is on the blockchain?

At step 3 the exchange is supposed to notice that an inbound tx became marked, update their own databases/file an internal ticket/do whatever they want to do and then immediately clear the mark from that tx onwards. So Bob would not see anything in his wallet unless he managed to race that process.

At step 3 the exchange is supposed to notice that an inbound tx became marked, update their own databases/file an internal ticket/do whatever they want to do and then immediately clear the mark from that tx onwards. So Bob would not see anything in his wallet unless he managed to race that process.

OK makes sense Mike. The trade off would therefore appear, in making it incumbent on overstretched exchanges (as you alluded to) to know what is going through, against whatever cost there is to Bob in terms of hassle/concern in sorting it out. I suspect it would be good to sound out the larger members of the commercial groups on here to understand their views about the reputational risk, and operational cost.

This is an interesting mechanism and seems to have potential to identify bad actors. While I like the idea of shining light on dirty things for disinfecting purposes, I have some questions about how such a system would work in practice:

- False positives and spam - it seems like redlists would need to maintain reputation to be relevant to their community. Ultimately, this means that users submitting a report would need to back their claims up for operators to provide useful services. Ostensibly, redlist operators would need to develop a reporting/verification/ or bonding process, correct? It seems that mechanisms that flag coins without providing some skin in the game or "cost" will generate more noise than signal under some circumstances.

- Incentives to use. It seems that bringing about "good outcomes" would require users motivated by... something. Whether the reason for this is civic duty or because there's a monetary incentive for verified information leading to a resolution, the incentives must exist. Even though many good outcomes could result from a system built around this concept, I foresee potential ethical issues baked into a system for this purpose. Also, while the technology behind this can be engineered to be fully voluntary, one could foresee the possibility of penalties levied upon people in a certain jurisdiction X who ignored a report by operator Y that is recommended by X (though this would have to be proven). Or is this putting the cart before the horse?

On a separate note, this mechanism could be used for other sorts of coin coloring as well, right?

Re: FP's and spam. Yes, this is the question of "someone reported their coins as stolen. are they really stolen?". I think for things like CryptoLocker this wouldn't be a big problem because there are enough victims that a bit of basic common sense can flush out the suspicious reports (if there are any - not sure why someone would fake this). To verify a report you can just ask for a screenshot of the app requesting the key or a few minutes of access to the machine to confirm infection.

For generalising the scheme to other crimes, how to separate bad reports from good is something that'd have to be figured out before launching that list. There's no good general approach.

Re: incentives. For the case of CL I'd hope no incentive is needed.

Re: being forced to pay attention to markings. With the right cryptographic protocols we can engineer it so the redlist/mark list operator never finds out when there is a hit, thus, there can be no way to find out if someone ignored a report (except of course by visiting someone who didn't ignore it, asking them where they got the coins from and working backwards manually, but this is a lot of effort and similar to the warrant system today).

I'm gonna weigh in on this subject from an exchange PoV, once I spend the time to read every post here properly.

At a generalised response (will get a better response later).

Quote

Re: incentives. For the case of CL I'd hope no incentive is needed.

Personally .. totally agree! From a business sense, unfortunately the opposite. Will need to weigh the pros and cons. This point is heavily dependent upon other exchanges. If 1 exchange adopts to a con for business, then it will eventually fail vs other businesses that do not adopt. Which will eventually put that primary exchange out of business.

It does need an incentive, or, the majority of exchanges adopting. Which to be honest, I can't see happening, just because they feel it's in the best interest of people. I mean, already (in the last half year) I've had a fair few 'attacks' and very un-friendly like 'attitudes' from other bitcoin exchanges/businesses. So, no, I can't see this happening without incentives.

With the right incentives and not needing a massive amount of manpower and engineering, then yes, I can see it being adopted. Or, the lack of ability for other exchanges to 'one up' an exchange that adopts such practices, that would also be an incentive in itself. Unfortunately, though I personally promote as many exchanges as possible, not everyone has the same philosophy, and it's a dog eat dog world when others are like that.

If my opinion can be of any value, I think there are promising ideas here, but this is the kind of thing that needs to be carefully designed. I see some problems with this idea but I have no constructive solutions yet, so I'd rather mention another "coin tracking" system I imagined recently, in case it makes sense:

Authorities would then immediately know what financial institution is processing a specific payment involving an address they are monitoring, and they could use the established legal system to query information. Maybe this can be kind of a simple "backward-compatible" solution until Bitcoin payments rarely use third parties and/or CoinJoin becomes widely used.

Requiring an exchange to hand over all addresses would sort of work, but it's not ideal - we can do much better if we design systems ourselves (where by "better" I mean, better privacy, more effective outcomes, etc).

Also, any system based only on exchanges isn't going to be effective. As the economy develops coins will circulate internally for much longer before hitting an exchange, and bad guys will be able to buy what they want without having to change currencies. That means individuals and merchants need to be able to take part as well, if they want to. A system based on checking in with a list server using anonymising protocols makes more sense from a design perspective.

I don't see any reason why an exchange that implements this system would be uncompetitive (except that implementing it would have a small cost, but with smart software this can be minimised). It doesn't imply any extra work or inconvenience for end users, unless they deposit marked coins. But such deposits are just a signal. If there are strong reasons to believe that a client doesn't have any information that could be helpful, the signal can be ignored and the marks cleared. The goal here is not to require or force anyone to do extra work or be inconvenienced.